Self-attesting secure blueprints

What is claimed is: 1 . A method for managing operation of an endpoint device, the method comprising: obtaining a blueprint for use with respect to the endpoint device; attempting to establish a chain of delegations from a root of trust for the endpoint device to an author associated with the blueprint, the delegations granting authority to the author to create blueprints to be used with, at least, the endpoint device; in a first instance of the attempting where the chain of delegations is successfully established: using the blueprint to update operation of the endpoint device to obtain an updated endpoint device, and providing first computer implemented services using the updated endpoint device; and in a second instance of the attempting where the chain of delegations is not successfully established: rejecting use the blueprint to update operation of the endpoint device, and providing second computer implemented services using the endpoint device. 2 . The method of claim 1 , wherein in the first instance a permissions section of the blueprint comprises: a public key of the author; a first statement granting the author authority to create the blueprint; a second statement limiting applicability of the first statement; and a signature. 3 . The method of claim 2 , wherein attempting to establish the chain of delegations comprises: identifying an entity that authorized creation of the signature; and looking for cryptographically verifiable delegations that grant the entity the authority to create the blueprint. 4 . The method of claim 3 , wherein looking for the cryptographically verifiable delegations comprises: parsing a database in which copies of certificates that comprise delegation statements. 5 . The method of claim 2 , wherein the second statement facilitates discrimination of a first portion endpoint devices from a second portion of endpoint devices, the first portion and the second portion being managed by at least one orchestrator, and the orchestrator being tasked with using the blueprint to manage the first portion and the second portion. 6 . The method of claim 5 , wherein the blueprint is a non-customized blueprint. 7 . The method of claim 6 , wherein using the blueprint comprises: customizing the non-customized blueprint to obtain a customized blueprint; and providing the customized blueprint to the endpoint device. 8 . The method of claim 7 , wherein customizing the blueprint comprises: replacing parameters in the blueprint with values selected by the orchestrator. 9 . The method of claim 8 , wherein the signature is usable to verify integrity of static content of the blueprint while excluding the values selected by the orchestrator. 10 . The method of claim 1 , wherein the blueprint is a customized blueprint comprising a portion of content substituted by an orchestrator into a signed blueprint, a signature of the customized blueprint being usable to verify integrity of static content of the customized blueprint that excludes the portion of content substituted by the orchestrator. 11 . A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for managing an endpoint device, the operations comprising: obtaining a blueprint for use with respect to the endpoint device; attempting to establish a chain of delegations from a root of trust for the endpoint device to an author associated with the blueprint, the delegations granting authority to the author to create blueprints to be used with, at least, the endpoint device; in a first instance of the attempting where the chain of delegations is successfully established: using the blueprint to update operation of the endpoint device to obtain an updated endpoint device, and providing first computer implemented services using the updated endpoint device; and in a second instance of the attempting where the chain of delegations is not successfully established: rejecting use the blueprint to update operation of the endpoint device, and providing second computer implemented services using the endpoint device. 12 . The non-transitory machine-readable medium of claim 11 , wherein in the first instance a permissions section of the blueprint comprises: a public key of the author; a first statement granting the author authority to create the blueprint; a second statement limiting applicability of the first statement; and a signature. 13 . The non-transitory machine-readable medium of claim 12 , wherein attempting to establish the chain of delegations comprises: identifying an entity that authorized creation of the signature; and looking for cryptographically verifiable delegations that grant the entity the authority to create the blueprint. 14 . The non-transitory machine-readable medium of claim 13 , wherein looking for the cryptographically verifiable delegations comprises: parsing a database in which copies of certificates that comprise authority delegation statements. 15 . The non-transitory machine-readable medium of claim 12 , wherein the second statement facilitate discrimination of a first portion endpoint devices from a second portion of endpoint devices, the first portion and the second portion being managed by at least one orchestrator, and the orchestrator being tasked with using the blueprint to manage the first portion and the second portion. 16 . A system, comprising: a processor; and a memory coupled to the processor to store instructions, which when executed by the processor, cause operations for managing an endpoint device to be performed, the operations comprising: obtaining a blueprint for use with respect to the endpoint device; attempting to establish a chain of delegations from a root of trust for the endpoint device to an author associated with the blueprint, the delegations granting authority to the author to create blueprints to be used with, at least, the endpoint device; in a first instance of the attempting where the chain of delegations is successfully established: using the blueprint to update operation of the endpoint device to obtain an updated endpoint device, and providing first computer implemented services using the updated endpoint device; and in a second instance of the attempting where the chain of delegations is not successfully established: rejecting use the blueprint to update operation of the endpoint device, and providing second computer implemented services using the endpoint device. 17 . The endpoint device of claim 16 , wherein in the first instance a permissions section of the blueprint comprises: a public key of the author; a first statement granting the author authority to create the blueprint; a second statement limiting applicability of the first statement; and a signature. 18 . The endpoint device of claim 17 , wherein attempting to establish the chain of delegations comprises: identifying an entity that authorized creation of the signature; and looking for cryptographically verifiable delegations that grant the entity the authority to create the blueprint. 19 . The endpoint device of claim 18 , wherein looking for the cryptographically verifiable delegations comprises: parsing a database in which copies of certificates that comprise authority delegation statements. 20 . The endpoint device of claim 17 , wherein the second statement facilitate discrimination of a first portion endpoint device